I exported one scheduled job I created. And it should be possible to import that task to other computers using cmd/powershell.
Is there a way to tell schtask that it should use current user that is logged on and use the highest privileges to execute this job?
May help:
All computer are in the same local network and sem system group.
Console where schtask import xml is executed already has admin rights.
schtask \create \tn <myService> \xml <my xml path>
If schtask can somehow prompt for which user to use it would be ok. Even if it will ask for a password.
But I don't want to write user password into cmd as argument (i don't see that option safe for my situation)
Perfect would be to just automatically select the current user that is logged on.
Thank you ;)
I specified to run the script as "User" and it works on all computer. If someone can explain what this User means would be nice
Related
I am trying to set up Jenkins for software hosted in Google Cloud VM. I have a VM with user account A and user account B. Jenkins is hosted in user account A. All the other softwares are hosted in user account B. In order to authorize Jenkins to ssh into userB#VM_ADDRESS, I am placing user A's .ssh/id_rsa.pub into user B's .ssh/authorized_keys. This allows for Jenkins to ssh into userB#VM_ADDRESS to update my software whenever I push changes to Github. However, after awhile, for some reason the .ssh/authorized_keys in user account B is replaced/refreshed and my key is gone, and the ssh from Jenkins would fail with permission denied. How should I solve this? Or am I doing Jenkins wrong?
I saw this thread at https://groups.google.com/g/gce-discussion/c/iHqRb2KlMZg/m/x59xV4pYAQAJ?pli=1 that seems to be a similar problem but after reading through I still do not know what I need to do.
The SSH keys in the metadata are redeployed regularly. To solve the issue, instead of performing manually the copy/paste in the system, copy the key and (add it to the compute engine metadata](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys)
However, I'm not sure that is the good way to follow. Why you don't log in with the account A, because it's the "reality" and perform action on software? You can put the account A and the account B in the same Linux group, or performing a chown to change the owner of the fresh files at the end.
What's the requirements behind this tricky question?
Update 1:
The fact to use the key of the account A to log into the user B, is like an impersonation. At the end, you don't know if it's the user account A or B which have performed stuff on your file.
Anyway, in linux you have 3 level of permission UGA (User, Group, All), that's why you have something like this when you perform a ls -la: rwxr-xr-- which mean U (User) can do RWX (Read Write eXecute), group can only Read and eXecute and all can only read.
Therefore, if the user account A and user account B are in the same Group, you can set common group permissions and avoid all (others) to access to the files.
I have configured AD on my jenkins server.
Everything is working fine, but in case AD server goes down, I wanna have a fallback user.
I know that AD plugin allows you to do that, but I'm confused with part
Use Jenkins Internal Database and select user this selected user must exist on Jenkins internal DB right?
I have no user create internally, so How can create that user internally? Because I have AD integrated already.
Thank you
The internal user database means XML files under $JENKINS_HOME/users.
The first time you log in with the fallback user, it will update the XML files.
Before the first login, you cannot use the Use Jenkins Internal Database feature.
I discover this behavior reading the source code of the change (full story here (github page)).
I am putting together a web interface for an embedded hardware product (think like your router) that needs the ability to change system files that are owned by root. In particular I need to change the network address and then restart the service.
What is the best way to handle this both for editing the file and securely handling the escalation (preferably outside of the webapp somehow). I had the idea of a user who can sudo with no password for scripts to use that was banned from SSH or Terminal login, but I am unsure if this is the best thing to do security wise as it leaves that user open to attacks that can then escalate privleges.
I effectively want to read ifcfg-eth0, write changes to a temporary file, double check those changes are valid, then write it back to the ifcfg-eth0 original file, finally restart the network interface.
I have a windows service that works fine with my application on the admin user, once I log into a non-admin user I need this user to be able to start,stop, and check the status of the service. I have used advapi32.dll library to be able to do this, but using this I am required to have the name of the users and the name of the service, so I would have to run this program every time a new user is added. I need a way to allow the service to communicate to all users, even newer users created after the service has been installed.
I have been trying to figure it out a way to do this by using Installshield service settings during installation. There is one field that you can create permissions, the only problem is that this is done using SDDL and it looks like this: O:<[%USERDOMAIN]>G:BAD:(D;OICI;GA;;;BG)(A;OICI;GRGWGX;;;<[%USERDOMAIN]>)(A;OICI;GA;;;BA)S:ARAI(AU;SAFA;FA;;;WD)
Does anybody knows a method to do this or can guide me through the SDDL if this is posible?
Thanks
I have read in many forums that mapped drives are not accessible from a service as no user is logged on.
Question 1) I tried making my service as a log on - as some account and i had my network drive mapped in that very account. The service still cannot access it. Why?
Question 2) From the same sevice, i invoke another process. Under what user account will the process run?
Thanks
1) Use UNC paths instead, then you do not need access to mapped drive letters. As to why you cannot access them even when running in the same account, it is hard to say for sure without seeing your actual code.
2) it depends on how you are launching the process. If you use ShellExecute() or CreateProcess(), then it runs in the user account of the calling thread. If you use CreateProcessAsUser(), CreateProcessWithLogonW(), or CreateProcessWithTokenW(), then it runs in the user account that you pass in.
I have faced similar problem wile running JBoss in service mode, my Java code was not able to access Mapped Drive even if i execute the service even after changing "Log on as:" option to the same user who has mapped the drive.
Then I figured out that if I can map the drive using the same service, then it should work.
And finally, adding just a simple command at top of service.bat file resolved the issue.
net use x: \\SERVERNAME\SHARENAME
Services don't have access to mapped drives on XP and beyond, since mapped drives are a per user resource, so they depend on who's logged in. Since it's possible for no-one to be logged in, it's possible that there are no mapped drives.
Your service may map a drive itself.